Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.

1 Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee

2 Control Classifications. By Objectives: Administrative, Accounting. By Settings: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base. SAS 29 (1958). Text Chapter 7. This Chapter.

3 Control Classifications. By Objectives: Administrative, Accounting. By Settings: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base. Encourage adherence to management policies and procedures. Promote operational efficiency. Safeguard assets. Ensure accuracy of accounting data and information.

4 [Diagram: Input; Process; Output; Sensor; Benchmark. Labels: Detective and Corrective Controls; Corrective Controls; Preventive, Detective, and Corrective Controls.]

5 Discover the occurrence of adverse events. Tend to be active in nature. After-the-fact controls.

6 Lead to the righting of effects caused by adverse events. Tend to be more active than detective controls.

7 Block adverse events, such as errors or losses, from occurring. Tend to be passive in nature.

8 Control Classifications. By Objectives: Administrative, Accounting. By Settings: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base. Ensure that overall IS is stable and well maintained. Ensure the accuracy of specific applications, inputs, files, programs & outputs.

9 Control Classifications. By Objectives: Administrative, Accounting. By Settings: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base.

10 What Constitutes A Reliable System

11 What Constitutes Reliability? Availability; Security; Maintainability; Integrity.

12 Control Classifications. By Risk Aversion: Corrective, Preventive, Detective. By Settings: General, Application (Input, Processing, Output). By Objectives: Administrative, Accounting. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base.

13 Controls – The Text Approach: Key General Reliability Controls (more than one reliability principle) – Table 8-1; Key Availability Controls – Table 8-2; Key Security Controls – Table 8-3; Key Maintainability Controls – Table 8-4; Key Integrity Controls – Table 8-5.

14 General Reliability Controls: Strategic Planning & Budgeting; Developing a System Reliability Plan; Documentation.

15 Key Availability Controls: Minimizing System Downtime; Disaster Recovery Plan.

16 Key Security Controls: Segregation of Duties in Systems Function.

17 The Text Notes... In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

18 The Text Notes... To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.

19 Organizational Independence Within the Information Systems Function of a Firm Using Computer-Based Processing. Source: AIS, Wilkinson & Cerullo

20 [Organization chart: Information Systems Manager; Steering Committee; Planning Staff; Data-Base Administrator; Technical Services Manager; Systems Development Manager; Data Processing Manager; Information Center; Systems Analysis & Projects; Programming; Data Preparation; Computer Operations; Data Library; Data Control.] Tasks which CREATE systems. Tasks which OPERATE systems. These two functions need to be ORGANIZATIONALLY and PHYSICALLY separated.

21 Flow of batched data within several units of an organization using computer-based processing. Source: AIS, Wilkinson & Cerullo

22 [Diagram: flow of batched data between User Departments and the Computer-Based Data Processing Department (Control Section, Data Preparation Section, Computer Operations, Data Library). Steps and flows: Data Input; Receive & Log; Convert Data; Process; Files; Log & Distribute; Outputs; Error Listing; Errors to be corrected.] Record input data in control log. Follow progress of processing. Maintains control totals. Reconciles totals during processing. Distribute output. Monitors correction of errors.

23 [Diagram: flow of batched data between User Departments and the Computer-Based Data Processing Department (Control Section, Data Preparation Section, Computer Operations, Data Library). Steps and flows: Data Input; Receive & Log; Convert Data; Process; Files; Log & Distribute; Outputs; Error Listing; Errors to be corrected.] Prepare and verify data for entry into processing. What controls do we have here? Batch controls. Various computer input controls.

24 [Diagram: flow of batched data between User Departments and the Computer-Based Data Processing Department (Control Section, Data Preparation Section, Computer Operations, Data Library). Steps and flows: Data Input; Receive & Log; Convert Data; Process; Files; Log & Distribute; Outputs; Error Listing; Errors to be corrected.] Processes data to produce outputs. What controls do we have here? Various computer processing controls.

25 Simplified organizational separation in a computer-based system using on-line processing. Source: AIS, Wilkinson & Cerullo

26 [Diagram: User Departments; Computer Operations; On-Line Files (Data Library); Data Inputs; Displayed Outputs; Printed Outputs; Process; Batch Files; On-Line Files.]

27 Subdivisions of transaction (application) controls and typical control points. Source: AIS, Wilkinson & Cerullo

28 Source Document Manual Entry Convert To MRF Trans. Data Editing Computer-Based Data Processing Source Document User Transaction Via Terminal Soft-Copy Output Input Controls Processing Controls Output Controls Control Point

29 Key Security Controls: Segregation of Duties in Systems Function; Physical Access Controls.

30 Perimeter Control; Building Controls; Computer Facility Controls.

31 Key Security Controls: Segregation of Duties in Systems Function; Physical Access Controls; Logical Access Controls.

32 Identification; Authentication; Access Rights; Threat Monitoring.

33 Key Security Controls: Protection of Personal Computers and Client/Server Networks; Internet and e-commerce Controls.

34 Key Maintainability Controls: Project Development and Acquisition Controls; Change Management Controls.

35 Control Classifications. By Objectives: Administrative, Accounting. By Settings: General, Application (Input, Processing, Output). By Risk Aversion: Corrective, Preventive, Detective. By System Architectures: Manual Systems, Computer Based Systems, Batch Processing, Online Processing, Data Base. Ensure that overall IS is stable and well maintained. Ensure the accuracy of specific applications, inputs, files, programs & outputs.

36 Objectives of Application Controls: To prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program. Input; Process; Output.

37 Objectives of Application Controls. The text correctly notes... If application controls are weak, AIS output is likely to contain errors. Erroneous data leads to significant potential problems.

38 Key Integrity Controls: Source Data Controls; Input Validation Controls; On-Line Data Entry Controls; Data Processing and Storage Controls.

39 Key Integrity Controls: Output Controls; Data Transmission Controls.

40 Input Process Output Source Data Input Validation On-line Data Entry Data Processing Storage Data Transmission Output

41 Key Integrity Controls: Source Data Controls.

42 Ensure that all source documents are authorized, accurate, complete, properly accounted for and entered into the system or sent to their intended destinations in a timely manner.

43 Source Data Controls: Forms Design; Prenumbered Forms Sequence Test; Turnaround Documents; Cancelation and Storage of Documents.

44 Source Data Controls: Authorization and Segregation of Duties; Visual Scanning; Check Digit Verification; Key Verification.

45 Key Integrity Controls: Input Validation Controls.

46 Input Validation Routines: Routines that check the integrity of input data as the data are entered into the system. Edit Programs; Edit Checks.

47 Input Validation Routines: Sequence Check; Field Check; Sign Check; Validity Check; Limit Check.

48 Input Validation Routines: Range Check; Reasonableness Test; Redundant Data Check; Capacity Check.
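
The edit checks named on slides 47 and 48, applied by a small edit program to a batch of sales-order lines. This is an added example, not part of the original slides; each check follows its usual textbook meaning, and the record layout, master file, thresholds and sample batch are constructed assumptions.

```python
import re

# Added illustration: constructed master data and thresholds, not from the slides.
CUSTOMERS = {"C1001": {"name": "ACME", "usual_qty": 20},
             "C1002": {"name": "BOLT", "usual_qty": 5}}
QTY_LIMIT = 500               # limit check: upper bound only
PRICE_RANGE = (0.50, 999.99)  # range check: lower and upper bound
MEMO_WIDTH = 20               # capacity check: size of the memo field

def edit_checks(rec):
    """Return the names of the edit checks that one input record fails."""
    if not re.fullmatch(r"-?[0-9]+", rec["qty"]):
        return ["field"]                       # wrong character type; stop here
    failed, qty = [], int(rec["qty"])
    if qty <= 0:
        failed.append("sign")
    if qty > QTY_LIMIT:
        failed.append("limit")
    if not PRICE_RANGE[0] <= rec["price"] <= PRICE_RANGE[1]:
        failed.append("range")
    cust = CUSTOMERS.get(rec["cust_id"])
    if cust is None:
        failed.append("validity")              # ID not on the master file
    else:
        if cust["name"] != rec["cust_name"]:
            failed.append("redundant_data")    # two identifiers disagree
        if qty > 10 * cust["usual_qty"]:
            failed.append("reasonableness")    # implausible for this customer
    if len(rec["memo"]) > MEMO_WIDTH:
        failed.append("capacity")
    return failed

def sequence_check(batch):
    """Return document numbers that break ascending order within the batch."""
    return [b["doc"] for a, b in zip(batch, batch[1:]) if b["doc"] <= a["doc"]]

def error_listing(batch):
    """Edit program: map each rejected document number to its failed checks."""
    listing = {r["doc"]: edit_checks(r) for r in batch}
    for doc in sequence_check(batch):
        listing[doc] = ["sequence"] + listing[doc]
    return {doc: failed for doc, failed in listing.items() if failed}

# Constructed sample batch of sales-order lines.
BATCH = [
    {"doc": 101, "cust_id": "C1001", "cust_name": "ACME", "qty": "12", "price": 9.99, "memo": ""},
    {"doc": 102, "cust_id": "C1002", "cust_name": "ACME", "qty": "600", "price": 9.99, "memo": ""},
    {"doc": 104, "cust_id": "C9999", "cust_name": "NONE", "qty": "-3", "price": 0.10, "memo": "x" * 30},
    {"doc": 103, "cust_id": "C1001", "cust_name": "ACME", "qty": "1O", "price": 5.00, "memo": ""},
]
```

Calling `error_listing(BATCH)` returns only the rejected documents, which corresponds to the error listing sent back for correction in the batch flow on slides 22 to 24.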

49 Key Integrity Controls: On-Line Data Entry Controls.

50 To ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.

51 On-Line Data Entry Controls: Input Validation Routines; User ID and Passwords; Automatic Entering of Data; Prompting; Preformatting.

52 On-Line Data Entry Controls: Completeness Check; Closed-Loop Verification; Transaction Log; Error Messages; Record Retention.

53 Key Integrity Controls: Data Processing and Storage Controls.

54 Processing/Storage Controls: Preserve the integrity of data processing and stored data.

55 Processing/Storage Controls: Policies and procedures; Data Control Function; Reconciliation procedures; External data reconciliation; Exception reporting.

56 [Diagram: flow of batched data between User Departments and the Computer-Based Data Processing Department (Control Section, Data Preparation Section, Computer Operations, Data Library). Steps and flows: Data Input; Receive & Log; Convert Data; Process; Files; Log & Distribute; Outputs; Error Listing; Errors to be corrected.]

57 Processing/Storage Controls: Data currency checks; Default values; Data matching; File labels; Write Protection mechanisms.

58 Processing/Storage Controls: Database Protection Mechanisms; Data Conversion Controls; Data Security.

59 Key Integrity Controls: Output Controls.

60 Review all output for reasonableness and proper format. Reconcile output and input control totals daily. Distribute output to appropriate user departments.

61 Output Controls: Protect sensitive or confidential outputs. Store sensitive/confidential data in secure area. Require users to review completeness and accuracy of all output.

62 Output Controls: Shred or otherwise destroy sensitive data. Correct errors found on output reports.

63 Key Integrity Controls: Transmission Controls.
